How to Make Your Backups Actually Work

Phishing is the most common way accounts get compromised — not because people are careless, but because modern phishing emails are good. They look real. The signals that distinguish them from legitimate email are subtle. Here’s what to actually look for.

The sender address, not just the name

Email clients show you the sender’s display name prominently. The actual email address is smaller and often hidden. An email can say it’s from “PayPal Support” while the address is paypal-security@notifications-paypal.com — which is not PayPal.

On desktop: hover over the sender name to reveal the full address. On mobile: tap the sender name to expand it. Look at the domain — the part after the @. paypal.com is legitimate. notifications-paypal.com is not. paypa1.com (with a 1 instead of an l) is not. Common tricks include subdomains (paypal.com.attacker.com — the real domain is attacker.com), hyphens (pay-pal.com), and character substitution (using rn for m, 0 for o).

Urgency and threats

Phishing emails are engineered to make you act without thinking. “Your account will be suspended in 24 hours.” “Unauthorized login detected — click here immediately.” “Action required: verify your information now.” The urgency is designed to short-circuit your skepticism.

Legitimate companies almost never threaten immediate account closure via email without prior warning. If an email creates strong urgency, that’s a signal to slow down, not speed up. Go directly to the company’s website by typing the address in your browser — don’t click the link in the email — and check if the issue actually exists on your account.

Links that don’t match what they claim

Hover over any link in an email before clicking it. The URL that appears in the status bar or tooltip is where the link actually goes — it may be completely different from the text displayed. “Click here to verify your account” might go to a domain you’ve never heard of.

Also watch for URL shorteners (bit.ly, tinyurl.com) — you can’t see the destination. And for long, complicated URLs designed to make the malicious domain hard to spot: secure-login-paypal.com/account/verify/user/your@email.com/token=abc — the domain is still secure-login-paypal.com, not paypal.com.
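The two checks above, extracting the real domain from a sender address or a link target and then asking whether it is a known domain or merely contains a known brand name, can be written down as a small screening script. The following is an added example, not code from the original article: it assumes a constructed allow-list `TRUSTED_DOMAINS` of sites the reader actually uses, approximates the registrable domain as the last two labels of the host (real deployments should use the Public Suffix List), and undoes the substitutions the article names (rn for m, 0 for o, 1 for l) plus hyphens before looking for a brand name. The function and variable names are this example's own.

```python
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample allow-list: the domains this reader actually holds accounts with.
# In practice this is the set of sites you use, not a global list.
TRUSTED_DOMAINS = {"paypal.com", "apple.com", "amazon.com"}

# Character substitutions the article calls out: rn for m, 0 for o, 1 for l.
# The multi-character 'rn' is undone before the single characters.
SUBSTITUTIONS = [("rn", "m"), ("0", "o"), ("1", "l")]


def registrable_domain(host: str) -> str:
    """Return the part of a host that is actually registered, approximated here as
    its last two labels: paypal.com.attacker.com -> attacker.com.
    Assumption: two labels suffice; real code should consult the Public Suffix
    List so that hosts under suffixes such as co.uk are handled correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def host_from_email(address: str) -> str:
    """The sender domain is everything after the last '@' in the address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def host_from_url(url: str) -> str:
    """Extract the host of a link target. A scheme is prepended when missing so
    that urlparse places the host in the authority rather than the path; the
    '@' inside the example path below is therefore never mistaken for a host
    boundary (urlparse().hostname also drops any userinfo in the authority)."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def normalise(host: str) -> str:
    """Undo look-alike substitutions and drop hyphens and dots so that
    paypa1.com, pay-pal.com and notifications-paypal.com all expose 'paypal'."""
    squashed = host.lower()
    for fake, real in SUBSTITUTIONS:
        squashed = squashed.replace(fake, real)
    return re.sub(r"[-.]", "", squashed)


def classify_host(host: str) -> str:
    """'trusted' when the registrable domain is on the allow-list, 'lookalike of X'
    when a trusted brand name appears in the host but the registrable domain does
    not match, 'unknown' otherwise. Brand matching is a plain substring test and
    will also flag benign hosts that merely contain the word: it is a prompt to
    look closer, not a verdict."""
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    squashed = normalise(host)
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if brand in squashed:
            return f"lookalike of {trusted}"
    return "unknown"


def link_mismatch(display_text: str, href: str) -> bool:
    """True when the visible link text is itself a URL or domain whose registrable
    domain differs from where the href really goes. Plain text such as
    'Click here' carries no host to compare, so it returns False."""
    text = display_text.strip()
    if " " in text or "." not in text:
        return False
    return registrable_domain(host_from_url(text)) != registrable_domain(host_from_url(href))


def screen_message(sender: str, links: List[Tuple[str, str]]) -> List[str]:
    """Run the sender and each (display text, href) pair through the checks and
    return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    sender_host = host_from_email(sender)
    verdict = classify_host(sender_host)
    if verdict != "trusted":
        findings.append(f"sender domain {sender_host}: {verdict}")
    for text, href in links:
        host = host_from_url(href)
        verdict = classify_host(host)
        if verdict != "trusted":
            findings.append(f"link to {host}: {verdict}")
        if link_mismatch(text, href):
            findings.append(f"link text '{text}' does not match target {host}")
    return findings


if __name__ == "__main__":
    # Constructed sample message built from the article's own example addresses.
    sample_sender = "paypal-security@notifications-paypal.com"
    sample_links = [
        ("Click here to verify your account",
         "secure-login-paypal.com/account/verify/user/your@email.com/token=abc"),
        ("https://www.paypal.com/signin", "http://paypal.com.attacker.com/login"),
    ]
    for finding in screen_message(sample_sender, sample_links):
        print("-", finding)
```

Running the script on the constructed sample flags the sender domain, both link targets and the mismatch between the displayed paypal.com link text and its attacker.com target. The brand-substring test deliberately errs on the side of flagging, which mirrors the article's advice: a hit means slow down and type the address yourself, not that the email is certainly malicious.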

Attachments you weren’t expecting

Unexpected attachments are a major attack vector — Word documents with macros, PDFs with embedded links, ZIP files containing executables. Legitimate services rarely email you unsolicited attachments. If you weren’t expecting a document from someone and an email arrives with one, don’t open it.

If it appears to be from someone you know, contact them via a separate channel (call them, send a new email) to confirm they actually sent it before opening. Email accounts get compromised and used to send malicious attachments to the owner’s entire contacts list.

Generic greetings and odd formatting

“Dear Customer,” “Hello User,” or just your email address instead of your name are signals that the email wasn’t generated from a system that actually knows who you are. Real transactional emails from companies you have accounts with will typically include your name or username.

Grammar and formatting issues used to be reliable signals of phishing — they still are for less sophisticated attacks, but AI-generated phishing emails are now grammatically perfect. Don’t rely on typos to identify phishing; focus on the structural signals above instead.

What to do if you’re not sure

Don’t click. Instead, go directly to the company’s website by typing the URL yourself, log in, and check if the claimed issue exists. If the email says your Apple ID was used to make a purchase, go to appleid.apple.com directly — not via any link in the email — and look at your purchase history.

You can also forward suspicious emails to the company’s phishing report address. Most major companies have one: phishing@paypal.com, reportphishing@apple.com, phishing@amazon.com. They’ll confirm whether the email is legitimate.

The bottom line

Check the actual sender domain, not the display name. Treat urgency as a red flag. Hover over links before clicking. Don’t open unexpected attachments. When in doubt, go directly to the site. None of these checks takes more than a few seconds, and together they catch the vast majority of phishing attempts before you click anything.